HandBrake Urges Mac Users To Verify Recent Download, Says Mirror Server Was Compromised (handbrake.fr)
HandBrake team, writing on their forum: Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it. Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you've downloaded HandBrake during this period. If you see a process called "Activity_agent" in the OSX Activity Monitor application, you are infected. HandBrake is a popular, open-source video conversion tool. The team hasn't issued any advisory for Windows users.
Do not confuse Activity_agent with "Activity Monitor", which is a perfectly legitimate process and part of the core Mac OS tools.
The trojan was likely named thus in order to maximize the potential for confusion.
- HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki which mirrors these: https://github.com/HandBrake/H...
- The Affected Download mirror (download.handbrake.fr) has been shut down for investigation.
- The Primary Download Mirror and website were unaffected.
- Downloads via the application's built-in updater with 1.0 and later are unaffected. These are verified by a DSA Signature and will not install if they don't pass.
- Downloads via the application's built-in updater with 0.10.5 and earlier did not have verification, so you should check your system if you used these older releases.
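As an added example (not code from the HandBrake team or from the post above), a small POSIX shell script that performs the two checks the advisory asks for: comparing a downloaded file's SHA-1 or SHA-256 with the value published on the project site, and looking for a running process with the cited name. The published hash and the file path are passed in by the user; the `Activity_agent` name comes from the advisory.

```shell
#!/bin/sh
# Added example: verify a HandBrake download against the hash published on
# the project site, and look for the process name the advisory cites.

# verify_download FILE ALGO EXPECTED
#   ALGO is 1 or 256 (the two digests HandBrake publishes).
#   Returns 0 only on an exact match, 1 on mismatch, 2 if FILE is missing.
verify_download() {
    file=$1; algo=$2; expected=$3
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # macOS ships shasum; most Linux systems ship sha1sum/sha256sum.
    if command -v "sha${algo}sum" >/dev/null 2>&1; then
        actual=$("sha${algo}sum" "$file" | awk '{print $1}')
    else
        actual=$(shasum -a "$algo" "$file" | awk '{print $1}')
    fi
    # Hashes copied from a web page may be upper case; compare in lower case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published SHA-$algo"
        return 0
    fi
    printf 'MISMATCH: %s\n  expected %s\n  actual   %s\n' "$file" "$expected" "$actual" >&2
    return 1
}

# find_process NAME
#   Returns 0 if a running process has exactly that executable name.
#   `ps -A -o comm=` works on both macOS and Linux; macOS prints the full
#   path of the binary, so the basename is taken before matching.
find_process() {
    ps -A -o comm= | awk -F/ '{print $NF}' | grep -qxF "$1"
}

# Usage (the hash value is whatever handbrake.fr / the GitHub wiki publishes):
#   verify_download ~/Downloads/HandBrake-1.0.7.dmg 256 "<published sha256>"
#   find_process Activity_agent && echo "Activity_agent is running: treat the system as infected"
```

A mismatch is a stop signal, not a retry: do not open the .dmg, and re-download from the primary mirror only.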
Handbrake is not signed, but they are interested in having it signed in the future.
The challenge is they are neither an organisation nor an individual developer. To be recognised as a legitimate organisation you need a DUNS and go through the required paperwork. This leaves them with the individual developer approach, which would probably require a trusted person, part of the inner team, that would sign on behalf of the team. There are risks of course, but not many good alternatives.
I am wondering whether in the future the FSF could act as the necessary 'organisation', but then it is trying to work out the paperwork, how to avoid abuse and what the cost would be. Yet another alternative would be for Apple to suggest a workable alternative. Maybe a notion of a team certificate, but with extra background checks? I am sure there are other good ideas out there.